topic Re: Require serial number match? in GlobalProtect Discussions

Require serial number match?

AProwant — Sun, 07 Aug 2022 04:08:20 GMT

We are running 10.2.2 w/ GP 6.0.3 and I am unable to figure out how to have my serial number (discovered via HIP) be required to match what is in AD. Could someone please show me which way to go? Support and my sales engineer have been unable to assist.

Thank you,

Andy

Re: Require serial number match?

aleksandar.astardzhiev — Mon, 08 Aug 2022 10:01:59 GMT

Hi @AProwant

Unfortunately I don't have personal experiance (hope one day to have the same in our environment), but I believe you need the following:

- You need Group Mapping with enabled "Fetch list of managed devices". This will tell the firewall to pull the serial number of AD computers over LDAP - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-server-profiles-ldap

- Create HIP object that as "Managed" set you "yes under General Tab -> Host Info

Once you enable fetching device list in group mapping you should be able to see the list of retrieved devices with:

> show user ldap-device-serialno all

If you don't see it either:

- the service account you use for the LDAP doesn't have enough permissions

- The serial number is not set as attribute for the computer objects in the AD - https://www.reddit.com/r/paloaltonetworks/comments/n1pe2p/global_protect_hip_check_machine_account_exists/

Re: Require serial number match?

AProwant — Tue, 09 Aug 2022 02:09:23 GMT

Thank you so much. That worked perfectly!

Re: Require serial number match?

IBisonni — Thu, 05 Sep 2024 13:51:12 GMT

Hi,

I'm currently experiencing the same issue.

We currently have a working LDAP connection to MS AD that is used for user group identification on GP HIP and works without issues.

We are trying to identify machines through Serial Number for that purpose we have:

On Device > User Identification > Group mapping settings > Fetch list of managed devices: YES
On Network > GlobalProtect > Portal > Agent (new) > Config Selection Criteria > Device Checks > Serial Number Check > Machine account exists with device serial number: YES
On Network > GlobalProtect > Portal > Agent (new) > HIP Data collection > Collect HIP Data: YES
On Objects > GlobalProtect > HIP Object (new) > host info > HIP Managed: YES

On MS AD we have create a user group with the name and cn matching the serial number of the test pc
And we have added this new group into Group mapping settings > Group include list.

Unfortunately we keep on been unable to match the serial numbers because we are not receiving them from LDAP.

> show user ldap-device-serialno all

ID|SerialNumber|Manged_by_AD|LastUpdateTime

Please can you let me know the MS AD > LDAP side of the config that you did for this to work? And if anything else was done in the firewall side?